commit e9336feb14168ff74aa4eb27b2c498838fdbd25d
author Jiakai Zhang <jiakaiz@google.com> Tue Jan 17 21:11:10 2023 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Tue Jan 17 21:11:10 2023 +0000
tree 9035d3fd70d5ab90561e98c2b5ec8a26430562d7
parent 6455f4fb3b713f7a33080305c90a8e0529d40b99
parent 615843c502a898541b95d1c8f19be1dd08ebb93d

Allow artd to create dirs and files for artifacts before restorecon. am: 7789460457 am: 5a6771ccb7 am: 615843c502

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2388476

Change-Id: I6da1701de98d6a8e6d66c2f0b1e8d23c485a38cc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

private/artd.te

diff --git a/private/artd.te b/private/artd.te
index c887258..ef54d8c 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -31,8 +31,10 @@
 
 # Read access to primary dex'es on writable partitions
 # ({/data,/mnt/expand/<volume-uuid>}/app/...).
+# Also allow creating the "oat" directory before restorecon.
 allow artd mnt_expand_file:dir { getattr search };
-r_dir_file(artd, apk_data_file)
+allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
+allow artd apk_data_file:file r_file_perms;
 
 # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)
@@ -46,8 +48,8 @@
 
 # Read/write access to all compilation artifacts generated on device for apps'
 # primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
-allow artd dalvikcache_data_file:dir create_dir_perms;
-allow artd dalvikcache_data_file:file create_file_perms;
+allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow artd dalvikcache_data_file:file { create_file_perms relabelto };
 
 # Read access to the ART APEX data directory.
 # Needed for reading the boot image generated on device.